From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Maxim Cournoyer Subject: bug#37318: [PATCH] OpenNTPD generated config is convoluted Date: Sat, 07 Sep 2019 13:21:27 +0900 Message-ID: <87sgp8virc.fsf_-_@gmail.com> References: <87r24yvw0p.fsf@gmail.com> <875zm5wyxh.fsf_-_@gmail.com> Mime-Version: 1.0 Content-Type: multipart/signed; boundary="==-=-="; micalg=pgp-sha256; protocol="application/pgp-signature" Return-path: Received: from eggs.gnu.org ([2001:470:142:3::10]:50005) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1i6SEe-00076k-MZ for bug-guix@gnu.org; Sat, 07 Sep 2019 00:22:06 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1i6SEc-00006F-AZ for bug-guix@gnu.org; Sat, 07 Sep 2019 00:22:04 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:56891) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1i6SEc-000067-1K for bug-guix@gnu.org; Sat, 07 Sep 2019 00:22:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1i6SEb-0002Ay-Qt for bug-guix@gnu.org; Sat, 07 Sep 2019 00:22:01 -0400 Sender: "Debbugs-submit" Resent-Message-ID: In-Reply-To: <875zm5wyxh.fsf_-_@gmail.com> (Maxim Cournoyer's message of "Fri, 06 Sep 2019 18:34:34 +0900") List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org Sender: "bug-Guix" To: 37318@debbugs.gnu.org --==-=-= Content-Type: multipart/mixed; boundary="=-=-=" --=-=-= Content-Type: text/plain Hello, The attached patches fix this issue as well as the openntpd package not being able to load the CA cert used to authenticate constraint servers. It depends on the NTP patches posted here: bugs.gnu.org/37295. 
--=-=-= Content-Type: text/x-patch Content-Disposition: attachment; filename=0001-gnu-openntpd-Fix-error-CA-errors-when-using-constrai.patch Content-Transfer-Encoding: quoted-printable From=208a1d7720fd37206c33a6887e6d3ba354349ca0fa Mon Sep 17 00:00:00 2001 From: Maxim Cournoyer Date: Fri, 6 Sep 2019 18:52:51 +0900 Subject: [PATCH 1/4] gnu: openntpd: Fix error CA errors when using constraints. The error printed by nttpd was "constraint: failed to load constraint ca" w= hen libressl tried loading the file /etc/ssl/cert.pem. The problem was investigated as part of fixing issue 37318 (see: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D37318). * gnu/packages/ntp.scm (openntpd)[configure-flags]: Use the '--with-cacert' flag to specify the location of the certificate authority file of libressl. =2D-- gnu/packages/ntp.scm | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/gnu/packages/ntp.scm b/gnu/packages/ntp.scm index 419b6d7321..363496817f 100644 =2D-- a/gnu/packages/ntp.scm +++ b/gnu/packages/ntp.scm @@ -108,8 +108,11 @@ computers over a network.") "0fn12i4kzsi0zkr4qp3dp9bycmirnfapajqvdfx02zhr4hanj0kv")))) (build-system gnu-build-system) (arguments =2D '(#:configure-flags '("--with-privsep-user=3Dntpd" =2D "--localstatedir=3D/var") + '(#:configure-flags `( "--with-privsep-user=3Dntpd" + "--localstatedir=3D/var" + ,(string-append "--with-cacert=3D" + (assoc-ref %build-inputs "libr= essl") + "/etc/ssl/cert.pem")) #:phases (modify-phases %standard-phases (add-after 'unpack 'modify-install-locations =2D-=20 2.23.0 --=-=-= Content-Type: text/x-patch Content-Disposition: attachment; filename=0002-services-openntpd-Remove-useless-let.patch Content-Transfer-Encoding: quoted-printable From=20bd4124cb0eb85210df296c412b87276a0e2fba4b Mon Sep 17 00:00:00 2001 
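Review bot: The `--with-cacert` value added to `#:configure-flags` in patch 1/4 points at `/etc/ssl/cert.pem` inside the libressl build input, so the CA bundle used to authenticate constraint servers is fixed when the package is built and presumably does not follow the system certificate store. That trust decision deserves a comment above the flag, e.g. `;; Constraint servers are verified against libressl's bundled CA file; it only changes when libressl is rebuilt.` Separately, `(assoc-ref %build-inputs "libressl")` returns `#f` when libressl is not among the package inputs, and `string-append` would then fail at build time. The inputs field is outside this hunk, so confirm libressl is listed there.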
From: Maxim Cournoyer Date: Fri, 6 Sep 2019 21:12:26 +0900 Subject: [PATCH 2/4] services: openntpd: Remove useless let. * gnu/services/networking.scm (openntpd-shepherd-service): Remove useless l= et. =2D-- gnu/services/networking.scm | 68 ++++++++++++++++++------------------- 1 file changed, 34 insertions(+), 34 deletions(-) diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index c45bfcdad9..dd2f9e29e2 100644 =2D-- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm 
@@ -508,41 +508,41 @@ make an initial adjustment of more than 1,000 seconds= ." (match-record config (openntpd listen-on query-from sensor server servers constraint-from constraints-from allow-large-adjustment?) =2D (let () =2D (define config =2D (string-join =2D (filter-map =2D (lambda (field value) =2D (string-join =2D (map (cut string-append field <> "\n") =2D value))) =2D '("listen on " "query from " "sensor " "server " "servers " =2D "constraint from ") =2D (list listen-on query-from sensor server servers constraint-= from)) =2D ;; The 'constraints from' field needs to be enclosed in double= quotes. =2D (string-join =2D (map (cut string-append "constraints from \"" <> "\"\n") =2D constraints-from)))) =2D =2D (define ntpd.conf =2D (plain-file "ntpd.conf" config)) =20 =2D (list (shepherd-service =2D (provision '(ntpd)) =2D (documentation "Run the Network Time Protocol (NTP) daemon= .") =2D (requirement '(user-processes networking)) =2D (start #~(make-forkexec-constructor =2D (list (string-append #$openntpd "/sbin/ntpd") =2D "-f" #$ntpd.conf =2D "-d" ;; don't daemonize =2D #$@(if allow-large-adjustment? =2D '("-s") =2D '())) =2D ;; When ntpd is daemonized it repeatedly tries = to respawn =2D ;; while running, leading shepherd to disable i= t. To =2D ;; prevent spamming stderr, redirect output to = logfile. =2D #:log-file "/var/log/ntpd")) =2D (stop #~(make-kill-destructor))))))) + (define config + (string-join + (filter-map + (lambda (field value) + (string-join + (map (cut string-append field <> "\n") + value))) + '("listen on " "query from " "sensor " "server " "servers " + "constraint from ") + (list listen-on query-from sensor server servers constraint-from)) + ;; The 'constraints from' field needs to be enclosed in double quot= es. 
+ (string-join + (map (cut string-append "constraints from \"" <> "\"\n") + constraints-from)))) + + (define ntpd.conf + (plain-file "ntpd.conf" config)) + + (list (shepherd-service + (provision '(ntpd)) + (documentation "Run the Network Time Protocol (NTP) daemon.") + (requirement '(user-processes networking)) + (start #~(make-forkexec-constructor + (list (string-append #$openntpd "/sbin/ntpd") + "-f" #$ntpd.conf + "-d" ;; don't daemonize + #$@(if allow-large-adjustment? + '("-s") + '())) + ;; When ntpd is daemonized it repeatedly tries to res= pawn + ;; while running, leading shepherd to disable it. To + ;; prevent spamming stderr, redirect output to logfil= e. + #:log-file "/var/log/ntpd")) + (stop #~(make-kill-destructor)))))) =20 (define (openntpd-service-activation config) "Return the activation gexp for CONFIG." =2D-=20 2.23.0 --=-=-= Content-Type: text/x-patch Content-Disposition: attachment; filename=0003-services-openntpd-Add-test-for-issue-3731.patch Content-Transfer-Encoding: quoted-printable From=20c88b2a75ba9325979143458b2de024bb309563fd Mon Sep 17 00:00:00 2001 From: Maxim Cournoyer Date: Sat, 7 Sep 2019 09:24:43 +0900 Subject: [PATCH 3/4] services: openntpd: Add test for issue #3731. See http://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D37318. * gnu/services/networking.scm (openntpd-configuration->string): New procedu= re, extracted from top of the `openntpd-shepherd-service' to make it testable. (openntpd-shepherd-service): Adapt following the move of the code to the ab= ove procedure. * tests/networking.scm: Add a test for the `openntpd-configuration->string' procedure. =2D-- gnu/services/networking.scm | 40 ++++++++++++------------ tests/networking.scm | 62 +++++++++++++++++++++++++++++++++++-- 2 files changed, 81 insertions(+), 21 deletions(-) diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index dd2f9e29e2..432f3a80ee 100644 =2D-- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm 
@@ -504,28 +504,30 @@ make an initial adjustment of more than 1,000 seconds= ." (allow-large-adjustment? openntpd-allow-large-adjustment? (default #f))) ; upstream default =20 =2D(define (openntpd-shepherd-service config) +(define (openntpd-configuration->string config) (match-record config =2D (openntpd listen-on query-from sensor server servers constraint-from =2D constraints-from allow-large-adjustment?) =2D =2D (define config =2D (string-join =2D (filter-map =2D (lambda (field value) =2D (string-join =2D (map (cut string-append field <> "\n") =2D value))) =2D '("listen on " "query from " "sensor " "server " "servers " =2D "constraint from ") =2D (list listen-on query-from sensor server servers constraint-from= )) =2D ;; The 'constraints from' field needs to be enclosed in double qu= otes. =2D (string-join =2D (map (cut string-append "constraints from \"" <> "\"\n") =2D constraints-from)))) + (listen-on query-from sensor server servers constraint-from + constraints-from) + (string-join + (filter-map + (lambda (field value) + (string-join + (map (cut string-append field <> "\n") + value))) + '("listen on " "query from " "sensor " "server " "servers " + "constraint from ") + (list listen-on query-from sensor server servers constraint-from)) + ;; The 'constraints from' field needs to be enclosed in double quotes. + (string-join + (map (cut string-append "constraints from \"" <> "\"\n") + constraints-from))))) + +(define (openntpd-shepherd-service config) + (let ((openntpd (openntpd-configuration-openntpd config)) + (allow-large-adjustment? (openntpd-allow-large-adjustment? config)= )) =20 (define ntpd.conf =2D (plain-file "ntpd.conf" config)) + (plain-file "ntpd.conf" (openntpd-configuration->string config))) =20 (list (shepherd-service (provision '(ntpd)) diff --git a/tests/networking.scm b/tests/networking.scm index 001d7df74d..d56760fa4d 100644 =2D-- a/tests/networking.scm +++ b/tests/networking.scm 
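Review bot: The new procedure `openntpd-configuration->string` in gnu/services/networking.scm has no docstring, whereas the neighbouring `openntpd-service-activation` (visible in patch 2/4) carries one. Since the procedure is private and the test suite reaches it through `@@`, a one-line contract helps, e.g. `"Return the contents of ntpd.conf, as a string, for CONFIG, an openntpd-configuration record."` The body of `openntpd-shepherd-service` continues outside this hunk, so the new `let` bindings could not be checked against the rest of that procedure.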
@@ -17,11 +17,19 @@ ;;; along with GNU Guix. If not, see . =20 (define-module (tests networking) + #:use-module (ice-9 regex) #:use-module (gnu services networking) #:use-module (srfi srfi-64)) =20 ;;; Tests for the (gnu services networking) module. =20 +(test-begin "networking") + + +;;; +;;; NTP. +;;; + (define ntp-server->string (@@ (gnu services networking) ntp-server->strin= g)) =20 (define %ntp-server-sample @@ -30,8 +38,6 @@ (address "some.ntp.server.org") (options `(iburst (version 3) (maxpoll 16) prefer)))) =20 =2D(test-begin "networking") =2D (test-equal "ntp-server->string" (ntp-server->string %ntp-server-sample) "server some.ntp.server.org iburst version 3 maxpoll 16 prefer") 
@@ -47,4 +53,56 @@ (ntp-configuration (servers (list "example.pool.ntp.org"))))) =20 + +;;; +;;; OpenNTPD +;;; + +(define openntpd-configuration->string (@@ (gnu services networking) + openntpd-configuration->string)) + +(define %openntpd-conf-sample + (openntpd-configuration + (server '("0.guix.pool.ntp.org" "1.guix.pool.ntp.org")) + (listen-on '("127.0.0.1" "::1")) + (sensor '("udcf0 correction 70000")) + (constraint-from '("www.gnu.org")) + (constraints-from '("https://www.google.com/")) + (allow-large-adjustment? #t))) + +(test-assert "openntpd configuration generation sanity check" + + (begin + (define (string-match/newline pattern text) + (regexp-exec (make-regexp pattern regexp/newline) text)) + + (define (match-count pattern text) + (fold-matches (make-regexp pattern regexp/newline) text 0 + (lambda (match count) + (1+ count)))) + + (let ((config (openntpd-configuration->string %openntpd-conf-sample))) + (if (not + (and (string-match/newline "^listen on 127.0.0.1$" config) + (string-match/newline "^listen on ::1$" config) + (string-match/newline "^sensor udcf0 correction 70000$" co= nfig) + (string-match/newline "^constraint from www.gnu.org$" conf= ig) + (string-match/newline "^server 0.guix.pool.ntp.org$" confi= g) + (string-match/newline + "^constraints from \"https://www.google.com/\"$" + config) + + ;; Check for issue #3731 (see: + ;; http://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D37318). 
+ (=3D (match-count "^listen on " config) 2) + (=3D (match-count "^sensor " config) 1) + (=3D (match-count "^constraint from " config) 1) + (=3D (match-count "^server " config) 2) + (=3D (match-count "^constraints from " config) 1))) + (begin + (format #t "The configuration below failed \ +the sanity check:\n~a~%" config) + #f) + #t)))) + (test-end "networking") =2D-=20 2.23.0 --=-=-= Content-Type: text/x-patch Content-Disposition: attachment; filename=0004-services-openntpd-Fix-the-config-generation-code.patch Content-Transfer-Encoding: quoted-printable From=20e4a982cd4c356052a06990e05e3070650919caa3 Mon Sep 17 00:00:00 2001 From: Maxim Cournoyer Date: Sat, 7 Sep 2019 12:37:37 +0900 Subject: [PATCH 4/4] services: openntpd: Fix the config generation code. This fixes issue #37318 (see: http://bugs.gnu.org/37318). * gnu/services/networking.scm (openntpd-configuration->string): Rewrite in order to make the "openntpd configuration generation sanity check" test pas= s. =2D-- gnu/services/networking.scm | 33 +++++++++++++++++++++------------ 1 file changed, 21 insertions(+), 12 deletions(-) diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index 432f3a80ee..fce82f3042 100644 =2D-- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm 
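Review bot: The sanity check in tests/networking.scm does not pin how the generated text ends, because `$` under `regexp/newline` matches both before a newline and at the end of the string. The rewrite in patch 4/4 joins entries with `"\n"` as a separator and so emits no final newline. If ntpd's parser expects every directive to be newline-terminated (not verified here), the last directive could be rejected while this test still passes. Adding `(string-suffix? "\n" config)` to the `and` would make that explicit. The patterns also leave `.` unescaped, as in `"^listen on 127.0.0.1$"`, so each dot accepts any character; writing `"^listen on 127\\.0\\.0\\.1$"` makes the match exact.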
@@ -505,22 +505,31 @@ make an initial adjustment of more than 1,000 seconds= ." (default #f))) ; upstream default =20 (define (openntpd-configuration->string config) + + (define (quote-field? name) + (member name '("constraints from"))) + (match-record config (listen-on query-from sensor server servers constraint-from constraints-from) (string-join =2D (filter-map =2D (lambda (field value) =2D (string-join =2D (map (cut string-append field <> "\n") =2D value))) =2D '("listen on " "query from " "sensor " "server " "servers " =2D "constraint from ") =2D (list listen-on query-from sensor server servers constraint-from)) =2D ;; The 'constraints from' field needs to be enclosed in double quot= es. =2D (string-join =2D (map (cut string-append "constraints from \"" <> "\"\n") =2D constraints-from))))) + (concatenate + (filter-map (lambda (field values) + (match values + (() #f) ;discard entry with filter-map + ((val ...) ;validate value type + (map (lambda (value) + (if (quote-field? field) + (format #f "~a \"~a\"" field value) + (format #f "~a ~a" field value))) + values)))) + ;; The entry names. + '("listen on" "query from" "sensor" "server" "servers" + "constraint from" "constraints from") + ;; The corresponding entry values. 
+ (list listen-on query-from sensor server servers + constraint-from constraints-from))) + "\n"))) =20 (define (openntpd-shepherd-service config) (let ((openntpd (openntpd-configuration-openntpd config)) =2D-=20 2.23.0 --=-=-=-- --==-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEJ9WGpPiQCFQyn/CfEmDkZILmNWIFAl1zMEcACgkQEmDkZILm NWKJ7A//X9uBNhxRaANhM0THr1NTAPGR3V+YZPd01P455FQpMC6F86dFeyFYqU6S kOcDTk4NDrhGmW7jaacGX+oZ0JGWSPTIXV6/roTxo/NvSrjq7EG3/x/HiuuI9Lcg tVhOQX02hJbzR/lIIQDzJxqt7Elaih4vu5lUEM8GXSKLyM+NcLg3A2UhnVgGgFLm iHHVI3Ne8uzuE8jTvGYo9VdAnuFNYyxVjb3xyQsZ7m+XZcxfX6DTaYIMLY49R+1F z7cvGYwy2L3qorUVHSLrbMxNdMhsKiE0F05ioY8xiyoqytWtQM76rEGgK9m1AF+C 8LZcc+lYooK/222DLfspjR8zYiB9GIJ99cil9PeiAouPM97PTkEytMuHe1ZvrzRr z65jfGzzJfEloQg3Uynov94JhPJZ+O/GL31zsOKoHnXmHjBFxKcJ2Z9J1R4etToK SjTzRvciNbvAKz6vRYMPxLXJ2e+s/cAWKZOs7iTNkzvg+9Ge85amkTlqN9QpdsBO +8B20CVQmHuHhzUeE9eGguWppP4mTNKbhySrXbD+2Jywow6JP+0aVyOZj1G0IeMr B+KBDrUbPyZEQ/U9gCp0wrgbEVtiWbY9uH8GC9d4+TSrokFermG0Orx29Ifde6Fn o7aR4cVR92p9U+WaVum5RXbTJ/8or7a7wc2zJW8iuO0pIEcjfTc= =Z+ll -----END PGP SIGNATURE----- --==-=-=--
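Review bot: The `(val ...)` clause in `openntpd-configuration->string` is commented as validating the value type, but it only checks that `values` is a list; each element is then written into ntpd.conf verbatim by the two `format` calls. A non-string element, or a string containing a newline or `"`, would therefore produce extra or malformed directives in the file that selects time sources and constraint servers. A non-list value falls through `match` with a generic no-match error. Consider tightening the clause to `(((? string? val) ...)` and adding a final `(_ (error "openntpd: expected a list of strings for" field values))`, plus a per-value check that rejects newline and double-quote characters.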